> It seems like BIND will cache something wrong when doing the first query
> with CD flag set, that makes it answer inconsistently later on.
>
> This behavior is causing validation to fail when such BIND is used as a
> forwarder.
>
> I'm going to debug BIND to see what's happening. I know it will be like
> looking for a needle in a haystack, that's why I'm reporting it to you
> before I have any more clues.
>
> I would appreciate any hints where to look for the cause.

jsonformat.com is violating protocol. Querying for NS or SOA gets NS or SOA, but all other data types get CNAME. You're not supposed to have CNAME at the zone apex, or have it coexist with other data types at the same node.

The nonvalidating query for A put the CNAME record into the cache, and the nonvalidating query for DS found it -- the cache doesn't know there's a zone cut there, so it doesn't know the CNAME shouldn't be used to answer the DS query.

I don't think there's anything we can do about this without violating protocol ourselves. jsonformat.com needs to get rid of that CNAME at the apex.

-- 
Evan Hunt -- each@isc.org
Internet Systems Consortium, Inc.
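The cache behaviour Evan describes can be replayed with a toy model. The Python below is an added example, not BIND's code and not part of the thread: it models a resolver cache that stores RRsets by owner name with no knowledge of zone cuts, replays the "A query caches a CNAME, DS query then hits that CNAME" sequence, and includes a small lint that flags the protocol violation (a CNAME coexisting with other data at a node). The NS names and the CNAME target are constructed placeholders; only the domain name jsonformat.com comes from the thread.

```python
"""Toy model of a resolver cache that has no notion of zone cuts.

Added example, not BIND's code. The jsonformat.com answers below are
constructed to mirror the thread (NS/SOA get NS/SOA, everything else
gets a CNAME); the NS names and CNAME target are placeholders.
"""
from collections import defaultdict

# Types that RFC 4035 section 2.5 allows to sit next to a CNAME at one node.
CNAME_COMPATIBLE = {"CNAME", "RRSIG", "NSEC", "NSEC3"}


class ToyCache:
    """Caches RRsets keyed only by owner name and type."""

    def __init__(self):
        # owner name (lower-cased) -> {rrtype: [rdata, ...]}
        self._nodes = defaultdict(dict)

    def add_rrset(self, owner, rrtype, rdatas):
        self._nodes[owner.lower()][rrtype] = list(rdatas)

    def snapshot(self):
        """Copy of the cached nodes, for offline inspection."""
        return {owner: dict(rrsets) for owner, rrsets in self._nodes.items()}

    def lookup(self, qname, qtype):
        """Return (rrtype, rdatas) the cache would answer with, or None on a miss."""
        node = self._nodes.get(qname.lower())
        if not node:
            return None
        if qtype in node:
            return qtype, node[qtype]
        # RFC 1034 section 3.6.2: a CNAME at a node answers queries for any
        # other type.  The cache applies that rule to DS as well, because it
        # cannot tell that DS for this name belongs to the parent zone; the
        # zone cut is invisible at this layer.  This is the inconsistency the
        # thread reports.
        if "CNAME" in node:
            return "CNAME", node["CNAME"]
        return None


def cname_coexistence_violations(nodes):
    """List (owner, [types]) where a CNAME coexists with data it may not share
    a node with (RFC 2181 section 10.1, RFC 4035 section 2.5).  An apex always
    carries SOA and NS, so a CNAME at the apex is reported by this check too."""
    bad = []
    for owner, rrsets in nodes.items():
        if "CNAME" in rrsets:
            others = sorted(set(rrsets) - CNAME_COMPATIBLE)
            if others:
                bad.append((owner, others))
    return bad


def reproduce_thread():
    """Replay the sequence from the thread and return (DS answer, violations)."""
    cache = ToyCache()
    # Constructed responses: what the thread says jsonformat.com hands back.
    # A query with CD set is not validated, so its answer lands in the cache
    # unchecked.
    cache.add_rrset("jsonformat.com.", "NS", ["ns1.example.", "ns2.example."])
    cache.add_rrset("jsonformat.com.", "CNAME", ["cname-target.example."])
    # The validator now needs DS for jsonformat.com and asks the cache first.
    ds_answer = cache.lookup("jsonformat.com.", "DS")
    return ds_answer, cname_coexistence_violations(cache.snapshot())


if __name__ == "__main__":
    answer, problems = reproduce_thread()
    print("cache answer for DS jsonformat.com:", answer)
    print("coexistence violations:", problems)
```

Running the module shows the DS lookup being answered with the cached CNAME rather than a miss that would have gone to the .com servers, and the lint naming jsonformat.com as the offending node; the same lint, run over a zone dump, is a cheap way to catch an apex CNAME before it breaks validation for every resolver that caches it.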